Archive

In the wake of the Target, and now Home Depot, security breaches, Apple Pay wants to provide a safer way to make a purchase.

Nestled in-between this week’s announcements of the iPhone 6 and the Apple Watch, Apple CEO Tim Cook announced a new mobile payment system called Apple Pay. New iPhone and Apple Watch owners can leave their credit and debit cards at home because the devices come with a chip that lets them tap-to-pay at major retailers.

When you are in one of 220,000 participating stores, like McDonald’s, Walgreens, Disney, or Macy’s, you use the magic of near-field communication (NFC) to hold your phone by a terminal to pay. It also requires that you place your finger over a sensor to verify your fingerprint. The Apple Watch works the same way, without the added security of the fingerprint, and syncs to your iPhone 5, iPhone 5c, and iPhone 5s. The payment system will work with American Express, Mastercard, and Visa.

Sounds pretty good. But, Google Wallet, PayPal and other NFC systems have failed to really take off; will Apple give us a better way? I asked mobile malware analyst Filip Chytrý to share his thoughts about the security of Apple Pay.

Deborah: From a security perspective, what do you think about Apple Pay?

Filip: I have some concerns. Communications between your device or watch is through Bluetooth, and we have already seen many incidences of intercepted communication between two devices using a man-in-the-middle attack. Generally, anytime you use a pay system there is communication between the phone or watch over Bluetooth. This communication works over a much longer distance than NFC, so payment interception would be easier.

Deborah: I understand the convenience of paying with Apple Pay, but how is this more secure than paying with a credit card? Read more…

Do you know the notion “machine war”? If you’re a fan of the Matrix movie trilogy then probably, yes. It denotes the fictional rise of artificially intelligent machines against the human race and their violent conquest of human beings. We want to apply a similar dominance of computationally powerful machines, not to create a population of slaves, but against numerous malicious Android packages that wildly proliferate on unofficial markets.

The idea of malware detection with no human interaction appeared earlier on our blog. In a fundamental article about AVAST research activities by AVAST’s COO, Ondřej Vlček, he effectively described the technologies we employ to deal with Windows threats. Two techniques have been mentioned explicitly, Malware Similarity Search and Evo-Gen, both working with Windows PE file format. Sometimes the latter form of detection technique is denoted as weak automated anti-malware heuristic.

The main effort is to reach two slightly conflicting qualities at the same time: The robustness, which means that suggested methods cover as many threats as possible; and simplicity, so that the methods are easily implemented in AVAST’s mobile security solution. The search for balance between those qualities is assisted by lessons learned from automated heuristic for Windows PE executables.

Question of the week: What is the antivirus setting called DeepScreen?

DeepScreen is a new technology inside avast! Antivirus 2014. When you are about to run a suspicious program which is not yet known to the other core antivirus technologies, DeepScreen is invoked. Its task is to simply distinguish between good and bad software. Although it seems obvious and simple, it is not.

How DeepScreen uses The Force for good

This (magic) technology is served by two software components (the Jedi, if you will) which work hand-in-hand. One of them is well known from the past: The avast! Sandbox.

When a file is “DeepScreened,” it is actually run in the Sandbox, which is mainly responsible for keeping things isolated while watching for various high-level events and behavior of the program running. For example, it monitors the system call invocation and overall behavior of the program which is being executed. This seems to be just enough to distinguish between the Dark Side and the Light Side of the Force, but unfortunately, it is not that simple.

Firstly, how can you tell good and bad behavior apart? There are plenty of legitimate software products that use “weird” techniques to protect themselves. On the other hand, there is a bunch of malware samples that look innocent and behave well.

Secondly, malware is used to hiding away from the vigilant eyes of the Sandbox. The most common and powerful technique is encryption. In fact, there are more ways of encrypting and packing these well - known bad guys and rendering them undetectable than there are distinct malware samples.

With the latest version of avast! Antivirus 2014, this technology is fully involved in fighting the bad guys. Whenever DeepScreen runs something in the Sandbox, it also performs binary instrumentation of the process.

“It has become second nature to connect various apps like Instagram, SocialCam, Angry Birds, CityVille, and Spotify to your Facebook ID. You just click ‘agree’ without even really knowing what you are agreeing to. What you don’t realize is that social apps linked to your Facebook profile can pretty much track your and your friends’ whole life.”

This quote, from Christian Sigl (co-founder of secure.me, which is now part of AVAST), originally appeared in Mashable in September, 2012.

Back then, we wanted to give users a heads-up and create awareness to think twice before sharing personal data with apps – regardless if via smartphone or the Web. Part of the message was that you never know what can happen with your data and in whose hands it could end up in.

Today, we know where the data went: The NSA and its British counterpart, GCHQ, have accessed data from Angry Birds and other smartphone and tablet apps, including sensitive information like age, location, education level and sexual orientation. The data accessed was collected directly from phones including geolocation, handset model, handset ID, software version and more – but personal information like sexual orientation, age and education level probably came from social media connect options.

Rovio, the company behind Angry Birds, has reacted and denied that they provide data to the NSA. Instead, they point out that they will rethink relationships with the ad networks they work with. “The alleged surveillance may be conducted through third party advertising networks used by millions of commercial web sites and mobile applications across all industries,” Rovio announced.

Regardless of how this data landed on NSA desks, giving away your customer’s personally identifiable information to a third-party organization is never a good move.

Users couldn’t really have done anything to avoid their data from ending up with the NSA, the only preventative action that could have been taken would have been limiting the amount of personal data that could be collected from social networks. Social network data isn’t meta data, this is information people share voluntarily. So of course, we know today that the NSA can access very sensitive and personal information if they want to – they will find a way if you’re of interest to them. Most of us aren’t though and one thing you can do to limit the amount of data that’s collected is to avoid online oversharing with apps and social networks.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

We’ve got the tool you need when you’re on the road this holiday season and all year long! Stay safe when using public WiFi ‘hotspot’ networks and access your favorite content from your PC with no regional restrictions when you use avast! SecureLine VPN.

When you travel and need web access from different locations, you may find some sites blocked. Now you can use servers located in multiple countries (e.g. UK, USA, etc.) to access Geo-blocked websites like Netflix or Pandora.

You have until the end of the year to take advantage of 33% off a 1 year license for avast! SecureLine. Get it now!

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Would you like a sneak-peek into avast! Mobile Security version 3, avast! Anti-Theft and the debut of a new product, avast! Backup? We are looking for advanced users to participate in the avast! Mobile Security Beta test starting today. This Beta test will run for a full week in which time you can give us valuable feedback that we can incorporate into our product before going public to millions of users.

Click the product links on the right under ‘About this community’ and sign up as tester for our Beta program

Within 24 hours of the beta launch, you’ll see upgrades to avast! Mobile Security and avast! Anti-Theft in the Google Play Store. Our new product, avast! Backup will also be available to install from Google Play.!! Note that avast! Anti-Theft Advanced users (users who installed from our servers instead from Google Play) will need to send their IMEI to holzner at avast dot com to get their Anti-Theft client upgraded to the Beta version !!

In order to get your free premium test license, open any of our apps and click on the “Go Premium” button

This release incorporates a premium line on top of our free offering. You can learn more about the features on the avast! Mobile Securityforum.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+ and Instagram.

It is my pleasure to officially announce the new Avast bug bounty program. As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful that those that don’t. Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it’s mainly because the other companies generally take the position that ‘Hey, we’re a security company. So we know security and it can’t happen to us.’ But in reality, that’s not what’s happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn’t it?

We at Avast take this very seriously. We know that being a market leader (Avast has more users than any other AV company in the world), we’re a very attractive target for the attackers. So, here’s our call to action: let’s unite and find and fix those bugs before the bad guys do!

Here’s how it works:

The bounty program is designed for security-related bugs only. Sorry, we’re not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it).

This program is currently intended only for our product, i.e. not the website etc.

We’re generally only interested in these types of bugs (in the order of importance):

Remote code execution. These are the most critical bugs.

Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.

Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.

Escapes from the avast! Sandbox (via bugs in our code)

Certain scanner bypasses. These include include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware)

Other bugs with serious security implications (will be considered on a case by case basis).

The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher(each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least $3,000 – $5,000 or more.

We might change these ranges based on the number and quality of incoming reports. Generally, the less reports we will get, the higher the bounty will go.

We will only pay for bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it’s used by Avast), please report it to Microsoft instead (it would be great if you could also notify us, but unfortunately, we cannot offer any reward in such cases).

The program is currently limited to consumer Windows versions of Avast (i.e.: Avast Free Antivirus, Avast Pro Antivirus, and Avast Internet Security). Only bugs in the latest shipping versions of these products will be considered.

Payment will be done preferably by PayPal. If you can’t accept PayPal (e.g. because it doesn’t work in your country), please get in touch with us and we will try to figure out something else.

Because of certain legal restrictions, we cannot accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.

It is the researcher’s own responsibility to pay any taxes and other applicable fees in their country of residence.

In order to be eligible for the bounty, the bug must be original and previously unreported.

If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.

You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid.

The bounty will be paid only after we fix the issue (or, in specific cases, decide to not fix it).

Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience.

Employees of AVAST and their close relatives (parents, siblings, children, or spouse) and AVAST business partners, agencies, distributors, and their employees are excluded from this program.

We reserve the right to change the rules of the program or to cancel it at any time.

How to report a bug and qualify for the bounty:

Please submit the bug to a special email address bugs@avast.com

If you’d like to encrypt your email (recommended), please use this PGP key.

A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level.

You will receive a response from an Avast team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we’re ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn’t make it through a spam filter.

Finally, I’d like to say thanks to everyone who helps to find and fix bugs in our products. Hopefully, this new reward program will take this initiative to a whole new level.

Happy [bug]hunting!

P.S. The bug bounty rules are also available on our main website here.

The Avast Research Lab is where some of the Avast’s brightest brains essentially create new ways of detecting malware. These are either features inside the product (such as FileRep and autosandboxing, including all of its recent development) as well as components that run on our backend – i.e. things that users don’t necessarily see but that are equally important for the overall quality of the product.

In fact, working on the backend stuff takes up more of their time these days, as more and more intelligence in Avast is moving to the cloud and/or is being delivered in almost real time via the avast! streaming update technology. Read more…

Today, we have released a brand new avast! program update, version number 7.0.1473. It’s the last program update we plan to do before version 8 (slated for Q1 2013). I’d like to take this opportunity and explain some of its new features.

First and foremost, the new version is fully compatible with Windows 8 – scheduled to finally hit the stores this Friday. The changes we have made went well beyond just making sure everything works. For example, we had to replace the internals of the Network and Web Shields to accommodate the new networking APIs in Windows 8. Also, we had to make sure avast! plays nicely with the new Windows Security Center and that it correctly handles certain scenarios that are new to Windows 8.

This version of avast! will shortly be officially certified with the Windows 8 Compatible logo, and will be included in the new Windows Store.

avast! Free Antivirus just earned another VB100 award, this time in the August 2012 Virus Bulletin comparative review for Windows 7 – with a perfect score of 100%.

According to the review, avast! “routinely elicits warm, affectionate smiles from the test team, with this month’s submission promising more of the same.” As well, we were told that “Avast earns another VB100 award fairly easily” in this case.

We offer much thanks to our beta testers, our developers, and our QA team for all their hard work in making software that is easy to stand behind.